Why Does Phishing Work & Why Is It So Effective?


Phishing has been around nearly as long as email itself. It began with those “Nigerian Prince” style emails that promised someone a big reward if they just sent a little money to help out a prince. While those emails still circulate, they’ve been largely replaced by fake Amazon order receipts, Microsoft OneDrive file sharing emails, and a multitude of other scams designed to get people to click a dangerous link or download a malicious file attachment.

Phishing is the #1 cause of data breaches and other IT security attacks, such as ransomware, cloud account takeovers, firmware infections, and more. 94% of malware is delivered via phishing email. Why are people still falling for phishing attacks? Despite all the awareness about phishing and what it looks like, people still fall for it. One in three employees will typically be fooled by a scam email or social phishing message. All it takes is one accidental visit to a malicious site and an entire company can be infected with ransomware. We’ll dive into the reasons that phishing has remained so effective after all these years and why it’s still the main way that all types of cyberattacks are delivered.

Why Do People Fall for Phishing Attacks?

We have to look at human nature to understand why phishing attacks still work. Phishing is basically the grifter’s con of old. The perpetrator is trying to fool the person at the other end of a communication into believing what they’re saying, so they’ll do what they want. People will typically default to trusting an email, text, or social media direct message unless they’re given a reason not to.

Unfortunately, phishing still works and remains the most effective way to deliver cyberattacks, which is why it’s still so prevalent. Phishing uses emotional approaches and tries to get us to forego logic. It’s looking for a human reaction, trying to get us to click before we think. This is similar to how con artists of old did things. Scammers would claim to be someone’s long-lost classmate that they barely remembered. Another tactic was claiming a hardship to play on someone’s natural desire to help. All those same types of tactics come into play in phishing. Here are some of the emotional triggers that phishing scammers will use to get you to do what they want.

Scare Tactics

You’ll often see scare tactics used in a phishing email. You might receive a message that your antivirus is about to expire. You may be threatened with IRS fines if you don’t comply with a request to visit a website to “clear things up.” When faced with the potential of something bad happening, people will often take action first, before they fully scrutinize the phishing email.

The Promise of a Reward

One of the oldest phishing scams around is the promise that you’ve won some kind of lottery. Who isn’t tempted by the possibility of winning a large sum of money that could make your life easier and allow you to live out your dreams? The promise of something good at the other end of a click is another emotional tactic that scammers use often. These types of emails are designed to trigger the “happiness hormone” in the brain, dopamine, and get a person so excited about the potential for something positive that they throw caution to the wind. They think, “What IF I really did win something?”

Another common phishing scam used in business that employs the reward tactic is the fake purchase order. It comes disguised as a purchase order for a company from someone who wants to buy a lot of product. This entices the recipient to quickly click to open a “purchase order” that turns out to be malware.

Anger-based Reaction

Anger is another emotional reaction that can cause a person to click on a phishing email. Anger and confusion are the triggers behind many of those fake receipt emails that you see, especially around the holidays. People will get a receipt that looks like it’s from Amazon or another online retailer for something they never ordered. They’ll immediately think someone has made a mistake or their account has been hacked. They click the button in the email that appears to be from Amazon to find out more. The user is hopeful they can get the “charge” reversed, but ends up on a phishing site.

Does Your Computer Have You Properly Protected from Phishing?

Copperband Technologies can help your southern Kentucky or Middle Tennessee business put safeguards in place like DNS and email filtering that can reduce your risk of a breach due to a phishing incident. Contact us today to schedule a consultation! Call 931.263.8000 or email us.